安全存储数据库凭据
[英]Secure storage of database credentials
问题描述
Had a major problem recently where my web hosting company messed up and all my php files were displayed in plain text. 
最近有一个主要问题,我的网络托管公司搞砸了,我的所有php文件都以纯文本显示。 This was a major issue for me for obvious reasons. 出于显而易见的原因,这对我来说是个主要问题。 Mainly because mysql database details were exposed. 主要是因为暴露了mysql数据库的细节。
I am now trying to change the way in which my php files get the login information for the database so that this will never happen again even if the hosting company fail me. 我现在正试图改变我的php文件获取数据库登录信息的方式,这样即使托管公司让我失败也不会再发生这种情况。
my current set up looks like this : 我目前的设置如下:
include 'info.php';
class Login {
var $host;
var $username;
var $password;
var $db;
var $url;
Inside the info.php is the username, password and so on for the database. info.php里面是数据库的用户名,密码等。 I want to make it so that the info.php file can never be viewed and only my .php files are able to access info.php in order to get the login infomation. 我想这样做,以便永远不会查看info.php文件,只有我的.php文件能够访问info.php才能获得登录信息。
How can i set this up? 我怎么设置它? This is a bit of a tricky one for me to explain so please dont be harsh and -1 me for a bad description.. just ask and i will clear up any gaps in my description. 这对我来说是一个棘手的解释所以请不要苛刻和-1我的描述不好..只是问问我将清除我的描述中的任何空白。
3 个解决方案
解决方案1
5 已采纳 2012-05-30 22:52:32
Simply place info.php outside your webroot. 只需将info.php放在您的webroot之外。 This way, you can include it, but should your web hosting f*#$ up, no one else can view that file, even as plain text. 这样,您可以包含它,但是如果您的网站托管f *#$ up,其他任何人都无法查看该文件,即使是纯文本也是如此。
You would then include it like this: 然后你会像这样包括它:
include('../info.php');
This way, even if someone finds out that you have a file called info.php that stores all your passwords, they cannot point their browser to that file. 这样,即使有人发现你有一个名为info.php的文件存储了你的所有密码,他们也无法将浏览器指向该文件。
The above would be the ideal and most watertight solution. 以上将是理想和最无懈可击的解决方案。 However, if that is not possible due to permissions, the other option would be to place all sensitive files in a directory and block direct access to that directory using a .htaccess file. 但是,如果由于权限而无法实现,则另一个选项是将所有敏感文件放在目录中,并使用.htaccess文件阻止对该目录的直接访问。
In the directory you want to block off access to, place an .htaccess file with the following contents: 在要阻止访问的目录中,放置一个.htaccess文件,其中包含以下内容:
deny from all
解决方案2
1 2012-05-30 22:57:07
If for some reason xbonez's answer doesn't work (lets say one doesn't have access to a non document_root folder).. You can achieve the same thing by using .htaccess 如果由于某种原因xbonez的答案不起作用(假设一个人无法访问非document_root文件夹)..你可以通过使用.htaccess来实现同样的目的
<files info.php>
order allow,deny
deny from all
</files>
This, should in theory (non tested) protect the file from being used in the browser but not block php from including said file. 这应该在理论上(未经测试)保护文件不被浏览器使用但不阻止php包含所述文件。
解决方案3
-2 2012-05-30 22:56:45
创建重定向到文件的表单以获取示例“requests.php”,并为您的所有请求启用它。如果您的数据正确重定向到特定页面,如果不这样做。在交换机的末尾放置anoter重定向用这种方式,用户看不到那个页面。不要把它放在那里或者其他东西 - 只有逻辑。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.